Merge pull request #585 from kubescape/C-0013-improve-remediation
C-0013 - clarify remediation
YiscahLevySilas1 authored Feb 29, 2024
2 parents bb4c497 + ff9aaf0 commit 665127e
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions controls/C-0013-nonrootcontainers.json
Expand Up @@ -7,12 +7,12 @@
]
},
"description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.",
"remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext or container securityContext and use user ID 1000 or higher, or make sure that runAsNonRoot is true.",
"remediation": "If your application does not need root privileges, make sure to define runAsNonRoot as true or explicitly set the runAsUser using ID 1000 or higher under the PodSecurityContext or container securityContext. In addition, set an explicit value for runAsGroup using ID 1000 or higher.",
"rulesNames": [
"non-root-containers"
],
"long_description": "Container engines allow containers to run applications as a non-root user with non-root group membership. Typically, this non-default setting is configured when the container image is built. Alternatively, Kubernetes can load containers into a Pod with SecurityContext:runAsUser specifying a non-zero user. While the runAsUser directive effectively forces non-root execution at deployment, NSA and CISA encourage developers to build container applications to execute as a non-root user. Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges.",
"test": "Verify that runAsUser and runAsGroup are set to a user id greater than 0, or that runAsNonRoot is set to true. Check all the combinations with PodSecurityContext and SecurityContext (for containers).",
"test": "Verify that runAsUser is set to a user id greater than 0 or that runAsNonRoot is set to true, and that runAsGroup is set to an id greater than 0. Check all the combinations with PodSecurityContext and SecurityContext (for containers).",
"controlID": "C-0013",
"baseScore": 6.0,
"example": "@controls/examples/c013.yaml",
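Review bot: the new "remediation" and "test" strings in this hunk disagree on the threshold. The remediation tells users to set runAsUser and runAsGroup to "ID 1000 or higher", while the test says it verifies "a user id greater than 0" and "an id greater than 0", so a reader cannot tell whether UID or GID 1..999 passes the control. Align the two with whatever the non-root-containers rule actually enforces, for example changing the test to "Verify that runAsUser is set to a user id of 1000 or higher or that runAsNonRoot is set to true, and that runAsGroup is set to an id of 1000 or higher", or relaxing the remediation to "greater than 0". The restructured remediation does correctly keep runAsGroup as a separate requirement even when runAsNonRoot is true, which matches the test text.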